Access forbidden when editing/deleting a block from the block layout with a machine name beginning with "." dot

Created on 18 October 2021, almost 4 years ago
Updated 7 August 2025, 1 day ago

Problem/Motivation

Editor that have access to the block layout, manually change the create block machine name and add a "." dot at the beginning.
This then create a block that cannot be edit or delete from the admin because the page return "Forbidden access".

We only manage to delete it from the database.

Steps to reproduce

  1. Go to https://simplytest.me/ and install drupal core 9.2.7
  2. Login to the generate website as admin and go to Structure > Block Layout > Custom block library
  3. Create a custom block. For example:
  4. Go back to Structure > Block Layout and Place a block in the Header:
  5. Select the "test" block from category Custom
  6. On the Configure block form, add a label "test" and edit the machine name by adding a "dot" at the beginning of the machine name. The machine name will be ".test":
  7. On the block layout page, you will see the newly add block in the region Header.
  8. Click on any of the operations for this block Configure/Disable/Remove bring the Forbidden page:

Proposed resolution

Unallow the "." dot in the machine name edition ( https://www.drupal.org/project/drupal/issues/2100203 β†’ )

πŸ› Bug report
Status

Active

Version

11.0 πŸ”₯

Component

block.module

Created by

πŸ‡©πŸ‡ͺGermany Tomefa Dresden

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • πŸ‡ΊπŸ‡ΈUnited States smustgrave

    This came up as the daily BSI target

    On 11.x I can confirm this is still an issue

    In the block.schema.yml I see

          type: machine_name
          label: 'ID'
          # Blocks have atypical machine names: they allow periods for historical reasons.
          # @see https://www.drupal.org/project/drupal/issues/2685917
          # @see https://www.drupal.org/project/drupal/issues/2043527
          constraints:
            Regex:
              pattern: '/^[a-z0-9_.]+$/'
              message: "The %value machine name is not valid."

    And the issue this was committed on πŸ“Œ Add config validation for the allowed characters of machine names Fixed

    I think the regex and schema should be updated so it can't start or end with a period.

Production build 0.71.5 2024